Revision3 CEO: Blackout caused by MediaDefender attack

Revision3, the Internet television network behind popular shows like Diggnation, experienced a serious network failure over Memorial Day weekend. CEO Jim Louderback revealed today that the outage was caused by a massive denial of service attack that he says was perpetrated by MediaDefender, a file-sharing mitigation firm that gets paid by Big Content to disrupt peer-to-peer networks.

A SYN flood aimed at Revision3's BitTorrent tracker clogged the company's tubes and brought down all of its web services. The traffic logs indicated that the network was getting slammed by over 8,000 packets every second. Revision3 tracked the source of the packets and discovered that the attack originated from MediaDefender, at which point Louderback confronted the company's executives. ArtistDirect CEO Dimitri Villard and MediaDefender vice president Ben Grodsky admitted to Louderback that they had been exploiting the lax security configuration of Revision3's BitTorrent tracker and using it to conduct decoying operations, but they disavowed knowledge of the denial of service attack and claimed that their servers were only pinging Revision3 once every three hours.
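How a per-second SYN rate like the one above can be pulled out of traffic logs and tied to a source, as an added example that is not Revision3's own tooling: the three-field log format, the addresses and the sample traffic are all constructed for illustration, and the threshold is the 8,000-per-second figure from the article.

```python
from collections import Counter, defaultdict

SYN_RATE_THRESHOLD = 8000  # SYNs per second, the rate reported in the article

def analyze(lines, threshold=SYN_RATE_THRESHOLD):
    """Return one alert per second whose SYN count exceeds the threshold.

    Each line is a constructed record: '<epoch_sec> <src_ip> <flag>', where
    flag is 'S' for a SYN or 'A' for the ACK that completes a handshake.
    """
    syn_by_src = defaultdict(Counter)  # second -> source -> SYN count
    acks = Counter()                   # source -> completed handshakes
    for line in lines:
        ts, src, flag = line.split()
        if flag == "S":
            syn_by_src[int(ts)][src] += 1
        elif flag == "A":
            acks[src] += 1

    alerts = []
    for sec in sorted(syn_by_src):
        total = sum(syn_by_src[sec].values())
        if total <= threshold:
            continue
        src, count = syn_by_src[sec].most_common(1)[0]
        alerts.append({
            "second": sec,
            "syn_total": total,
            "top_src": src,
            "top_src_syns": count,
            # A source that sends SYNs but never completes a handshake is
            # behaving like a flood, not like a client. Source addresses in
            # SYN packets can be spoofed, so this is a lead, not attribution.
            "top_src_completed": acks[src],
        })
    return alerts

def build_sample():
    """Constructed traffic: one quiet second, then one flooded second."""
    client, flooder = "198.51.100.10", "203.0.113.5"  # documentation ranges
    lines = []
    for _ in range(50):       # second 1000: ordinary clients
        lines += [f"1000 {client} S", f"1000 {client} A"]
    for _ in range(8500):     # second 1001: SYNs with no handshake
        lines.append(f"1001 {flooder} S")
    for _ in range(40):       # second 1001: clients still trying to connect
        lines += [f"1001 {client} S", f"1001 {client} A"]
    return lines

if __name__ == "__main__":
    for alert in analyze(build_sample()):
        print(alert)
```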

P2P poisoning

As we explained last year in our detailed examination of MediaDefender's peer-to-peer poisoning tactics, MediaDefender often serves and vigorously propagates fake or damaged files that are labeled in a manner that makes them appear to be commercial content. MediaDefender attempts to push its faked files to the top of popular search engines so that when pirates are attempting to illegally obtain content produced by one of MediaDefender's customers, downloaders will get MediaDefender's broken files instead. This tactic is referred to as "decoying." MediaDefender was likely using the backdoor in Revision3's tracker so they could propagate decoy torrent files for third-party commercial content.

MediaDefender also uses denial of service attacks to flood out servers that are distributing copyrighted material without authorization—a tactic that it refers to as "interdiction." The goal of an interdiction operation is to temporarily impede propagation of new releases so that filesharers will be compelled to use legitimate commercial distribution channels. MediaDefender has an extremely powerful network infrastructure—consisting of a 9GBps dedicated line and an array of over 2,000 servers—that it uses for spoofing and interdictions.

Louderback notes that his company had recently increased security on its tracker. He believes that MediaDefender's network automatically launched the SYN flood in retaliation when it could no longer exploit Revision3 for its decoying distribution purposes.

"Although I can only guess, here's what I think really happened. Media Defender was abusing one of Revision3's servers for their own purposes—quite without our approval. When we closed off their backdoor access, MediaDefender's servers freaked out, and went into attack mode—much like how a petulant toddler will throw an epic tantrum if you take away an ill-gotten Oreo," Louderback wrote in a blog entry. "That tantrum threw upwards of 8,000 SYN packets a second at our servers. And that was enough to bring down both our public-facing site, our RSS server, and even our internal corporate e-mail—basically the entire Revision3 business."

Bringing in the FBI

MediaDefender attempted to assure Louderback that steps would be taken to prevent a repeat of the incident, but he isn't impressed. He says that the FBI is investigating the matter and points out that denial of service attacks fall afoul of the Economic Espionage Act and the Computer Fraud and Abuse Act. MediaDefender could be in serious trouble for its latest antics. We attempted to contact MediaDefender to get their perspective on the situation with Revision3, but the company has not yet responded to our request for comment.

This isn't the first time that MediaDefender has faced scrutiny. The company was accused of perpetrating an entrapment scheme last year when it was discovered that MediaDefender was behind MiiVi, a web site that offered full-length movie downloads. MediaDefender vigorously denied the allegations and told Ars that the site was an internal experiment that was never intended to be made public.

MediaDefender found itself uncomfortably under the microscope again last year when hundreds of megabytes of internal company e-mail were leaked to the public by an anti-MediaDefender group that had intercepted the messages. The information disclosed through the leak revealed that MediaDefender had lied about its activities with MiiVi and was even planning on resurrecting the scheme. MediaDefender retaliated against the leakers by launching an interdiction attack against their web site, but ultimately failed to prevent the e-mails from spreading.

BitTorrent is increasingly being used for legitimate media distribution by all sorts of content creators ranging from innovative startups to major companies. MediaDefender's indiscriminate abuse of torrent trackers threatens to damage businesses that use BitTorrent legally. "If it can happen to Revision3, it could happen to your business too," Louderback ominously proclaims. Indeed, MediaDefender's aggressive practices threaten to hurt companies that legally use newer content-distribution business models.